static gboolean
log_into_pkcs11_session (GckSession *session, GError **error)
{
GckSessionInfo *sess;
GckTokenInfo *info;
GckSlot *slot;
gboolean login;
/* Perform the necessary 'user' login to secrets token. Doesn't unlock anything */
slot = gck_session_get_slot (session);
info = gck_slot_get_token_info (slot);
login = info && (info->flags & CKF_LOGIN_REQUIRED);
gck_token_info_free (info);
g_object_unref (slot);
if (login) {
sess = gck_session_get_info (session);
if (sess->state == CKS_RO_USER_FUNCTIONS ||
sess->state == CKS_RW_USER_FUNCTIONS)
login = FALSE;
gck_session_info_free (sess);
}
if (login && !gck_session_login (session, CKU_USER, NULL, 0, NULL, error))
return FALSE;
return TRUE;
}
gboolean
_gck_module_fire_authenticate_slot (GckModule *self, GckSlot *slot, gchar *label, gchar **password)
{
GckTokenInfo *info;
gchar *allocated = NULL;
gboolean ret;
g_assert (GCK_IS_MODULE (self));
info = gck_slot_get_token_info (slot);
if (info != NULL) {
/*
* We'll have tried to login at least once at this point,
* with NULL password. This means that CKF_PROTECTED_AUTHENTICATION_PATH
* tokens have had their chance and we don't need to prompt for it.
*/
if (info->flags & CKF_PROTECTED_AUTHENTICATION_PATH)
return FALSE;
if (label == NULL)
label = allocated = g_strdup (info->label);
gck_token_info_free (info);
}
g_signal_emit (self, signals[AUTHENTICATE_SLOT], 0, slot, label, password, &ret);
g_free (allocated);
return ret;
}
gboolean
_gck_module_fire_authenticate_object (GckModule *self, GckObject *object,
gchar *label, gchar **password)
{
GckTokenInfo *info;
GckSession *session;
GckSlot *slot;
gboolean ret;
g_assert (GCK_IS_MODULE (self));
g_assert (GCK_IS_OBJECT (object));
g_assert (password);
session = gck_object_get_session (object);
slot = gck_session_get_slot (session);
g_object_unref (session);
info = gck_slot_get_token_info (slot);
g_object_unref (slot);
if (info != NULL) {
if (info->flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
gck_token_info_free (info);
*password = NULL;
return TRUE;
}
gck_token_info_free (info);
}
g_signal_emit (self, signals[AUTHENTICATE_OBJECT], 0, object, label, password, &ret);
return ret;
}
static gboolean
init_pin_for_uninitialized_slots (GList *modules, const gchar *master)
{
GError *error = NULL;
GList *slots, *l;
gboolean initialize;
GckTokenInfo *info;
GckSession *session;
g_return_val_if_fail (master, FALSE);
slots = gck_modules_get_slots (modules, TRUE);
for (l = slots; l; l = g_list_next (l)) {
info = gck_slot_get_token_info (l->data);
initialize = (info && !(info->flags & CKF_USER_PIN_INITIALIZED));
if (initialize) {
session = open_and_login_session (l->data, CKU_SO, NULL);
if (session != NULL) {
if (!gck_session_init_pin (session, (const guchar*)master, strlen (master), NULL, &error)) {
if (!g_error_matches (error, GCK_ERROR, CKR_FUNCTION_NOT_SUPPORTED))
g_warning ("couldn't initialize slot with master password: %s",
egg_error_message (error));
g_clear_error (&error);
}
g_object_unref (session);
}
}
gck_token_info_free (info);
}
gck_list_unref_free (slots);
return TRUE;
}
GckSession*
gkd_secret_service_get_pkcs11_session (GkdSecretService *self, const gchar *caller)
{
ServiceClient *client;
GError *error = NULL;
GckTokenInfo *info;
GckSlot *slot;
gboolean login;
g_return_val_if_fail (GKD_SECRET_IS_SERVICE (self), NULL);
g_return_val_if_fail (caller, NULL);
client = g_hash_table_lookup (self->clients, caller);
g_return_val_if_fail (client, NULL);
/* Open a new session if necessary */
if (!client->pkcs11_session) {
slot = gkd_secret_service_get_pkcs11_slot (self);
client->pkcs11_session = gck_slot_open_session_full (slot, GCK_SESSION_READ_WRITE,
CKF_G_APPLICATION_SESSION, &client->app,
NULL, NULL, &error);
if (!client->pkcs11_session) {
g_warning ("couldn't open pkcs11 session for secret service: %s",
egg_error_message (error));
g_clear_error (&error);
return NULL;
}
/* Perform the necessary 'user' login to secrets token. Doesn't unlock anything */
info = gck_slot_get_token_info (slot);
login = info && (info->flags & CKF_LOGIN_REQUIRED);
gck_token_info_free (info);
if (login && !gck_session_login (client->pkcs11_session, CKU_USER, NULL, 0, NULL, &error)) {
g_warning ("couldn't log in to pkcs11 session for secret service: %s",
egg_error_message (error));
g_clear_error (&error);
g_object_unref (client->pkcs11_session);
client->pkcs11_session = NULL;
return NULL;
}
}
return client->pkcs11_session;
}
